github-actions[bot]
commented
4 months ago | Overall Project | 99.48% | :green_apple: |
|---|
There is no coverage information present for the Files changed
Closed renovate[bot] closed 4 months ago
github-actions[bot]
commented
4 months ago | Overall Project | 99.48% | :green_apple: |
|---|
There is no coverage information present for the Files changed
github-actions[bot]
commented
4 months ago Your Pull Request code is being promoted! Please follow the link below. Main Merge Workflow
This PR contains the following updates:
6.1.5->6.1.6GitHub Vulnerability Alerts
CVE-2024-22262
Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect https://cwe.mitre.org/data/definitions/601.html attack or to a SSRF attack if the URL is used after passing validation checks.
This is the same as CVE-2024-22259 https://spring.io/security/cve-2024-22259 and CVE-2024-22243 https://spring.io/security/cve-2024-22243 , but with different input.
Release Notes
spring-projects/spring-framework (org.springframework:spring-web)
### [`v6.1.6`](https://togithub.com/spring-projects/spring-framework/releases/tag/v6.1.6) #### :star: New Features - Log column type for limited support message in `JdbcUtils.getResultSetValue` [#32601](https://togithub.com/spring-projects/spring-framework/issues/32601) - Consistent support for generic `FactoryBean` type matching when using `getBeanProvider` [#32590](https://togithub.com/spring-projects/spring-framework/issues/32590) - `@RequestParam` binding does not support params with an empty array "\[]" suffix [#32577](https://togithub.com/spring-projects/spring-framework/issues/32577) - Maximum Request Size handling support for Undertow in StandardMultipartHttpServletRequest [#32549](https://togithub.com/spring-projects/spring-framework/issues/32549) - Introduce common support for is-null-safe checks in SpEL nodes [#32516](https://togithub.com/spring-projects/spring-framework/issues/32516) - Avoid additional unnecessary `Annotation` array cloning in `TypeDescriptor` [#32476](https://togithub.com/spring-projects/spring-framework/issues/32476) - Avoid cloning empty `Annotation` array in `TypeDescriptor` [#32405](https://togithub.com/spring-projects/spring-framework/pull/32405) #### :lady_beetle: Bug Fixes - Refine scheme, userinfo, host and port parsing in UriComponentsBuilder [#32616](https://togithub.com/spring-projects/spring-framework/issues/32616) - "GET must not have a request body" exception with OkhttpClient and BufferingClientHttpRequestFactory [#32612](https://togithub.com/spring-projects/spring-framework/issues/32612) - JMSTemplate.sendAndReceive does not propagate tracer over the wire [#32606](https://togithub.com/spring-projects/spring-framework/issues/32606) - Calling Kotlin suspend functions in non-reactive application crashes due to unresolvable class [#32599](https://togithub.com/spring-projects/spring-framework/issues/32599) - `MethodIntrospector.selectMethods()` fails to detect bridge methods across ApplicationContexts [#32586](https://togithub.com/spring-projects/spring-framework/issues/32586) - Fix handling value class with private constructor on proxy [#32536](https://togithub.com/spring-projects/spring-framework/pull/32536) - ReactorNettyClientResponse should not dispose connection [#32528](https://togithub.com/spring-projects/spring-framework/issues/32528) - `CompoundExpression` omits null-safe syntax in AST string representation of null-safe selection/projection in SpEL [#32515](https://togithub.com/spring-projects/spring-framework/issues/32515) - Generic Kotlin controllers got broken in 6.1.5 [#32510](https://togithub.com/spring-projects/spring-framework/issues/32510) - WebFlux Blocking controller runs on non-blocking thread when request input data present [#32502](https://togithub.com/spring-projects/spring-framework/issues/32502) - Generic interface on `FactoryBean` class not autowired in case of `targetType` mismatch [#32489](https://togithub.com/spring-projects/spring-framework/issues/32489) - `HeaderContentNegotiationStrategy.resolveMediaTypes()` throws unexpected `InvalidMimeTypeException` [#32483](https://togithub.com/spring-projects/spring-framework/issues/32483) - JmsUtils.commitIfNecessary catches and ignores JMS IllegalStateException, losing message with ActiveMQ Artemis [#32473](https://togithub.com/spring-projects/spring-framework/issues/32473) - Missing bean class in native image with a Kotlin nested class [#32472](https://togithub.com/spring-projects/spring-framework/issues/32472) - Spring MVC re-creates form data from request params and re-encoding can change the content-length [#32471](https://togithub.com/spring-projects/spring-framework/issues/32471) - Unhandled JMS exceptions are not always recorded as observation errors [#32458](https://togithub.com/spring-projects/spring-framework/issues/32458) - Consistently apply TaskDecorator to ManagedExecutorService as well [#32455](https://togithub.com/spring-projects/spring-framework/issues/32455) #### :notebook_with_decorative_cover: Documentation - SimpleAsyncTaskScheduler: Returned ScheduledFuture does not track provided task execution [#32589](https://togithub.com/spring-projects/spring-framework/issues/32589) - Remove link to unrelated method in javadoc of AnnotatedBeanDefinitionReader [#32560](https://togithub.com/spring-projects/spring-framework/pull/32560) - Fix typos and improve wording in reference documentation [#32557](https://togithub.com/spring-projects/spring-framework/pull/32557) - Document that active profiles are set at build time with AOT [#32543](https://togithub.com/spring-projects/spring-framework/issues/32543) - Fix broken link to vavr in the reference guide [#32494](https://togithub.com/spring-projects/spring-framework/pull/32494) - Document AOT limitations related to Kotlin identifiers with backticks [#32487](https://togithub.com/spring-projects/spring-framework/issues/32487) - Add Javadoc since to AbstractClientHttpRequestFactoryWrapper.getDelegate() [#32474](https://togithub.com/spring-projects/spring-framework/pull/32474) - Default strategy for ProblemDetail error codes wrongly document how "detail" is supported [#32446](https://togithub.com/spring-projects/spring-framework/pull/32446) #### :hammer: Dependency Upgrades - Upgrade to Micrometer 1.12.5 [#32596](https://togithub.com/spring-projects/spring-framework/issues/32596) - Upgrade to Reactor 2023.0.5 [#32592](https://togithub.com/spring-projects/spring-framework/issues/32592) #### :heart: Contributors Thank you to all the contributors who worked on this release: [@Banuelorigni](https://togithub.com/Banuelorigni), [@LinorDolev](https://togithub.com/LinorDolev), [@T45K](https://togithub.com/T45K), [@izeye](https://togithub.com/izeye), [@kilink](https://togithub.com/kilink), [@quaff](https://togithub.com/quaff), and [@qww1552](https://togithub.com/qww1552)Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.